Understanding how attackers get in is the critical first step to mounting an effective defense.
By Sean Deuby | Director of Services, Semperis
Cyberattacks in any industry cause multiple forms of damage. But attacks on public infrastructure, such as transportation systems and public utilities, can cause wholesale disruptions in daily life or threaten public safety. The U.S. Department of Homeland Security (DHS) and its component agency, the Cybersecurity and Infrastructure Security Agency (CISA), administer the National Infrastructure Protection Plan, which covers every sector designated as critical infrastructure and addresses both vulnerability and resiliency. See https://www.cisa.gov/national-infrastructure-protection-plan .
A few high-profile attacks, such as the Colonial Pipeline ransomware attack in May 2021, brought cyberattacks to the forefront for people on the U.S. East Coast who experienced gasoline shortages and higher prices. Following the attack, Colonial Pipeline proactively took systems offline, including its roughly 8,850 kilometers (5,500 miles) of fuel pipeline, to contain the threat.
The increase in attacks on public infrastructure signals that for some cybercriminals, the gloves are now off. For some, the goal of a ransomware attack isn’t solely to make money but rather to simply wreak havoc, disrupt services, and incite panic. Any sense of morality that might have been ascribed to threat actors in the past seems to have disappeared in the last couple of years.
Another case that proves this point is the intrusion at a water treatment facility in the small U.S. town of Oldsmar, Florida, in February 2021. Using a remote-access tool, the intruder raised the setpoint for sodium hydroxide (lye) in the water supply more than a hundredfold. An operator who saw the change on screen reverted it immediately, and no treated water was affected; the potential for cyberattackers to endanger lives is nonetheless real.
Public infrastructure organizations can strengthen their defenses against attacks by understanding the entry points for these attacks, addressing challenges inherent to the industry, and implementing new practices to guard against the current threat landscape.
Addressing identity system challenges in public infrastructure organizations
Public infrastructure organizations face unique challenges with securing their identity systems. Because many utilities manage infrastructure that is critical to daily life, nation states and other malicious actors have an interest in developing cyber weapons that target utilities, according to a Siemens/Ponemon Institute survey of global utility companies. The study called out several factors reported by utilities operators that undermine efforts to improve security posture, including:
- Lack of technical skills needed to identify threats
- Poor alignment between operational IT teams and security teams to recognize threats originating in the identity or other IT systems
- Outdated security practices, including limited understanding of the current threat landscape and risk-based best practices
- Lack of investment in training and personnel
- Inadequate cyberattack response plan and slow response to past incidents
- Deployment of digital and networked equipment, providing new targets for cybercriminals—and far-reaching consequences
The obstacles are daunting, but by implementing a systematic approach to closing security gaps in the identity system, public infrastructure organizations can significantly improve their security posture—a worthy goal given that these systems are clearly becoming a favored target for cybercriminals.
Closing the attack entry points in the identity system
Understanding how attackers get in is the critical first step to mounting an effective defense. In both the Colonial Pipeline and the Oldsmar incidents, the initial foothold was a remote-access credential: a legacy VPN account with a reused password and no multifactor authentication at Colonial, and a shared TeamViewer password at Oldsmar. Once inside a Windows network, the asset an attacker needs to own is Active Directory (AD), the core authentication service used by an estimated 90 percent of businesses worldwide. AD is a common attack path for cybercriminals because of its size, complexity, and tendency toward configuration drift, especially in large organizations with 20-year-old AD implementations.
The Colonial Pipeline attack was carried out by an affiliate of DarkSide, one of many ransomware-as-a-service (RaaS) operations: the core group develops the ransomware, leak site, and payment infrastructure and leases them to affiliates, who carry out the intrusions in exchange for a share of the ransom. These groups operate systematically to gain access to an organization’s infrastructure through AD security weaknesses:
- They gain initial access, often with a stolen or weak remote-access credential or a commodity exploit, and use the same tooling penetration testers use to begin reconnaissance of the network and the directory
- Next, the threat actors spend days or weeks (or months, in the case of the SolarWinds attack) hunting for misconfigurations and privilege escalation paths that lead to privileged accounts such as members of Domain Admins
- After gaining control of the assets they want, they complete their mission, whether that is tampering with a public water supply, encrypting data and demanding a ransom, or other destructive acts
Although DarkSide claims to have some principles (declining to attack hospitals or schools, for example), the group strikes only lucrative targets and exhibits impressive patience by lurking within systems sometimes for months in order to locate the most valuable assets.
Systematically identifying and addressing Active Directory vulnerabilities is an essential step in guarding against cyberattacks. Even the sophisticated RaaS groups prefer to take the easy path—when it works—rather than devising new tactics. Although the work can be tedious and time-consuming, implementing good AD security hygiene is achievable with focus, time, and effort.
Protecting organizations before, during, and after the attack
The first step in defending against identity system attacks is identifying and addressing vulnerabilities that are prime targets for cyberattackers. Especially for large, established organizations with legacy Active Directory systems, risky settings can accumulate over time, leading to easily exploitable security gaps.
For example, some of the most common and riskiest configuration errors in Active Directory are related to authentication. Suppose an organization runs an application that doesn’t integrate with AD directly but needs to query AD for active users. The path of least resistance is to enable anonymous LDAP access to Active Directory. Enabled without mitigating controls, that setting lets anyone who can reach a domain controller’s LDAP port enumerate users, groups, and the directory structure without presenting credentials, which substantially increases the organization’s risk profile. This is just one example of a lax authentication setting that can open the door to attackers; weak password policies are another.
Granting excessive permissions is another practice that initially saves time or addresses a perceived need for urgent access to business-critical applications and services, but leaves dangerous security weaknesses. In too many cases, after the privileged access is granted, the ticket is closed and that access is never reviewed again. Over time, the number of excessive permissions continues to grow. It’s not uncommon for AD environments to have unnecessarily high numbers of domain administrators. Service accounts with excessive permissions pose a particular risk: their passwords are usually set never to expire, many are weak, and any account with a service principal name (SPN) can have a Kerberos service ticket requested by an ordinary domain user and cracked offline (Kerberoasting).
To identify and address these security risks, organizations need to invest time and resources in evaluating risky AD settings. Regularly scanning AD provides insight into its security posture and reduces the risk of unauthorized changes or misconfigurations going undetected. (One tool that can help with this is Purple Knight, a free AD security assessment tool that scans the AD environment for indicators of compromise or exposure.)
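The following is an added example of what such a scan can look like in practice; it is not Purple Knight or any Semperis code. It checks the three weaknesses just described (anonymous LDAP access, privileged group bloat, and risky service accounts) read-only, using the RSAT ActiveDirectory module from a domain-joined session with ordinary read rights. The group-size threshold and the 365-day password age are illustrative assumptions.

```powershell
# Added example: read-only Active Directory hygiene checks for anonymous LDAP
# access, oversized privileged groups, and risky service accounts. Assumes the
# RSAT ActiveDirectory module and a domain-joined session with read access.
# Not Purple Knight or Semperis tooling; thresholds below are assumptions.
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Severity, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail })
}

# 1. Anonymous LDAP access. The forest-wide switch is the 7th character of the
#    dSHeuristics attribute on the Directory Service object: '2' allows anonymous
#    LDAP operations beyond rootDSE (fLDAPBlockAnonOps cleared).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsObject   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
$heuristics = [string]$dsObject.dSHeuristics
if ($heuristics.Length -ge 7 -and $heuristics[6] -eq '2') {
    Add-Finding 'Anonymous LDAP' 'High' "dSHeuristics=$heuristics permits anonymous LDAP operations forest-wide"
} else {
    Add-Finding 'Anonymous LDAP' 'Info' "dSHeuristics='$heuristics' (anonymous LDAP operations not enabled)"
}

# 2. Privileged group bloat. -Recursive expands nested groups; the threshold of 5
#    is an assumption, tune it to your environment.
$maxPrivileged = 5
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user')
    $sev = if ($members.Count -gt $maxPrivileged) { 'High' } else { 'Info' }
    Add-Finding "Members of $group" $sev ("{0} user(s): {1}" -f $members.Count, ($members.SamAccountName -join ', '))
}

# 3. Service accounts. Any enabled account with an SPN is Kerberoastable; flag those
#    whose password never expires, is more than a year old, or that sit in a
#    privileged group (krbtgt is excluded because its SPN is expected).
$privilegedSids = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    (Get-ADGroupMember -Identity $g -Recursive).SID.Value
}
$staleBefore = (Get-Date).AddDays(-365)
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet, Enabled |
  Where-Object Enabled |
  ForEach-Object {
    $issues = @()
    if ($_.PasswordNeverExpires) { $issues += 'password never expires' }
    if ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $staleBefore) {
        $issues += "password last set $($_.PasswordLastSet.ToString('yyyy-MM-dd'))"
    }
    if ($privilegedSids -contains $_.SID.Value) { $issues += 'member of a privileged group' }
    if ($issues) { Add-Finding "Service account $($_.SamAccountName)" 'High' ($issues -join '; ') }
  }

$findings | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

Run it on a schedule and keep the output under version control: the value of a scan like this is in the diff between runs, which is where drift shows up.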
Beyond closing AD security gaps, public infrastructure organizations can implement solutions that continually monitor the environment for malicious changes. The ability to detect attackers moving laterally through the network can substantially limit the damage done. Attack paths can be closed before the malicious actors are able to deploy malware, for example. And setting up automated remediation can help defuse an attack when every minute counts. Cyberattacks can infect globally connected systems in minutes, so the ability to automatically reverse malicious changes helps contain the fallout.
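As an added example of the monitoring described above (not Semperis product code), the script below pulls privileged-group additions from a domain controller’s Security log and compares current Domain Admins membership against a baseline. It assumes the ActiveDirectory module, read access to the DC’s Security log, and the "Security Group Management" audit subcategory enabled; the baseline list is constructed for illustration.

```powershell
# Added example: detect additions to privileged AD groups from the domain
# controller Security log and diff current Domain Admins membership against a
# baseline. Assumes the ActiveDirectory module, read access to the DC's Security
# log, and "Audit Security Group Management" enabled. Not Semperis product code.
Import-Module ActiveDirectory

$watchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# 4728: member added to a security-enabled global group    (Domain Admins)
# 4756: member added to a security-enabled universal group (Enterprise/Schema Admins)
# 4732: member added to a security-enabled local group     (builtin Administrators)
$eventIds = 4728, 4756, 4732

function Get-PrivilegedGroupAdditions {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = $eventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data> elements; index by Name.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($watchedGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Group  = $data['TargetUserName']
                Member = $data['MemberName']   # distinguished name of the added principal
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Id     = $_.Id
            }
        }
      }
}

# Baseline comparison. The allowlist is a constructed example; keep the real one
# in version control and treat every change to it as a reviewed change.
$baselineDomainAdmins = 'Administrator', 'svc-breakglass'
function Compare-DomainAdmins {
    param([string[]]$Baseline)
    $current = @((Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName)
    [pscustomobject]@{
        Unexpected = @($current  | Where-Object { $Baseline -notcontains $_ })
        Missing    = @($Baseline | Where-Object { $current  -notcontains $_ })
    }
}

$additions = Get-PrivilegedGroupAdditions -Hours 24
$drift     = Compare-DomainAdmins -Baseline $baselineDomainAdmins

if ($additions) { $additions | Format-Table -AutoSize }
if ($drift.Unexpected) {
    Write-Warning ("Domain Admins members not in baseline: {0}" -f ($drift.Unexpected -join ', '))
    # Reversal is left as a deliberate step rather than automated here: review the
    # actor and member above, then Remove-ADGroupMember -Identity 'Domain Admins' -Members <name> -Confirm
}
```

The event-based check tells you who made the change and from which account; the baseline diff catches changes that were made on a DC whose log you did not read, or before the retention window. Automated reversal builds on the same two signals but needs an allowlist you trust, because an attacker who can add a Domain Admin can also edit a baseline kept on the domain.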
In the event of a cyberattack, one of the key factors in resuming delivery of public services is being able to quickly recover Active Directory to a known-secure state. As any IT administrator can attest, rebuilding an AD forest is a laborious, time-consuming process that is prone to errors. Rebuilding an AD forest while under the stress of an in-progress attack is the stuff of nightmares. Every organization needs to have a fully tested, documented plan for recovering AD—the system that authenticates and grants access to all other systems—in the event of a cyberattack.
Ensuring public services are safe from cyberattacks
Although public infrastructure organizations are in the crosshairs of attackers, they can improve their defenses against even the most sophisticated attacks. By evaluating the security posture of their Active Directory environment, setting up monitoring to detect malicious changes, and implementing a fully tested AD recovery plan, these organizations will be better positioned to combat attacks and continue to deliver vital public services.
About the Author
Sean Deuby | Director of Services, Semperis
Sean Deuby brings 30 years’ experience in enterprise IT and hybrid identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel’s Active Directory and Texas Instruments’ Windows NT network, and a 15-time Microsoft MVP, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today’s identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple Cloud Identity Summit / Identiverse conferences.
For more information, visit http://www.semperis.com